A completely side observation here in lieu of the usual “What’s Google+ ?” joke is that I find the Google+ experiment somewhat depressing. Points in lieu of good prose:
Google has amazingly deep pockets
Deep pockets allow enough runway to do real good, both technologically and sociologically AND maintain a business model
It seems that deep pockets guarantee neither a good product vision nor good “time to pull the plug” courage
As a counterbalance, I look at google maps, especially google maps on a mobile phone which is of amazing utility, far more utility than the nonsense feed stream that Facebook, G+, twitter all supply. That, my friends, is a good product that I can see clearly has a business model that does not NEED to involve selling my individual private information to buyers. (Anonymized, aggregate information is pretty useful, as is plain old advertising - put my restaurant’s name on your map please, with ratings. - no paying to improve ratings!)
Now, if they had taken all the resources dumped into G+ and instead put that into google scholar (which for some reason is hidden now) I would be such a bigger fan …
There seems to be a weird implicit premise of an obligation to publicly disclose every vulnerability, even if it wasn’t exploited.
That’s emphatically not the world we’re in; Google, Facebook, Twitter, your bank, etc. all fix hundreds of vulnerabilities a year, without telling the public about a “potential breach”. While it’d be nice to know about them, it’d also be dangerous: absent some additional policy change, it’d provide a strong incentive to not look for bugs.
We have no reason to believe it wasn’t exploited. “However, Google says that it has no evidence to suggest any third-party developers were aware of the bug or abused it” (from the unpaywalled Verge article) is not the same as ‘Google says that it has evidence it wasn’t abused’. Firstly, why on earth would we believe Google when they say this? Secondly, is there any reason to suggest that any exploit would leave evidence? Google doesn’t have evidence it was exploited, okay, so what? It probably still was. Until they produce firm evidence it wasn’t exploited they have an obligation to tell us.
Anyway this wasn’t a vulnerability. Having vulnerable software installed then fixing it is not the same as exposing data publicly that should be private.
If you find and fix a vulnerability, it’s rare that you can say for certain that it wasn’t exploited.
If there is even the slightest chance that it may have been exploited, then it is dangerous not to let people know that you had a vulnerability, as it prevents them taking steps to minimise the damage. As an example, if I know that a third party may have had an opportunity to obtain my payment card details, I can cancel the card even if the potential attacker doesn’t appear to have used it yet.
I wonder how this privacy bug arose. Was it perhaps a developer deciding to serialize information about the users’ friends as JSON/XML “subobjects”, to be “helpful”, without considering the permissions that the friend had given to the app? In other words, was it a Confused Deputy bug?
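A sketch of the Confused Deputy pattern the comment above speculates about, added here as an illustration; it is not code from this thread, and it is not Google's code or a claim about how the Google+ API was actually written. The data model (per-field visibility, per-app field grants) and every name in it are assumptions. The "helpful" serializer checks only that the calling user is a friend, so the app inherits the user's view of the friend; the corrected serializer additionally requires that the friend either made the field public or granted it to that specific app.

```python
"""Over-sharing friends' data through a 'helpful' API serializer.

Hypothetical illustration (not Google's code). Assumed model:
  - each profile field has a visibility: public / friends / private
  - each user has granted each app a set of their OWN fields
"""
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    fields: dict                                   # field name -> value
    visibility: dict                               # field name -> PUBLIC | FRIENDS | PRIVATE
    friends: set = field(default_factory=set)      # user_ids of friends
    app_grants: dict = field(default_factory=dict) # app_id -> set of this user's field names


def visible_to(profile, viewer):
    """Fields of `profile` that `viewer` may see under the owner's privacy settings."""
    out = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)
        if vis == PUBLIC or (vis == FRIENDS and viewer.user_id in profile.friends):
            out[name] = value
    return out


def _own_fields(viewer, app_id):
    """The viewer's own fields that the viewer consented to share with app_id."""
    granted = viewer.app_grants.get(app_id, set())
    return {k: v for k, v in viewer.fields.items() if k in granted}


def serialize_helpful(viewer, app_id, users):
    """The 'before': embeds each friend's viewer-visible data as a subobject.

    Only the viewer's friendship is checked, never the friend's consent to
    app_id, so the app acts with the viewer's authority (confused deputy).
    """
    friends = []
    for fid in sorted(viewer.friends):
        friends.append({"id": fid, **visible_to(users[fid], viewer)})
    return {"user": _own_fields(viewer, app_id), "friends": friends}


def serialize_consented(viewer, app_id, users):
    """The 'after': a friend's field is embedded only if the viewer can see it
    AND the friend made it public or granted it to this app themselves."""
    friends = []
    for fid in sorted(viewer.friends):
        friend = users[fid]
        allowed = {k for k, vis in friend.visibility.items() if vis == PUBLIC}
        allowed |= friend.app_grants.get(app_id, set())
        seen = visible_to(friend, viewer)
        friends.append({"id": fid, **{k: v for k, v in seen.items() if k in allowed}})
    return {"user": _own_fields(viewer, app_id), "friends": friends}


def build_sample():
    """Constructed sample data: alice installed app1; bob (her friend) did not."""
    alice = Profile("alice",
                    {"name": "Alice", "email": "alice@example.test", "phone": "555-0100"},
                    {"name": PUBLIC, "email": FRIENDS, "phone": PRIVATE},
                    friends={"bob"}, app_grants={"app1": {"name", "email"}})
    bob = Profile("bob",
                  {"name": "Bob", "email": "bob@example.test", "phone": "555-0101"},
                  {"name": PUBLIC, "email": FRIENDS, "phone": PRIVATE},
                  friends={"alice"}, app_grants={})
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    users = build_sample()
    # Bob's friends-only email leaks to app1 through Alice's friendship...
    print(serialize_helpful(users["alice"], "app1", users))
    # ...but not once the friend's own consent is required.
    print(serialize_consented(users["alice"], "app1", users))
```

The fix is deliberately not "strip friends entirely": a friend who has themselves granted the app a field (add `users["bob"].app_grants["app1"] = {"email"}`) still has it embedded, which is the behaviour a per-user consent model is supposed to produce.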
Interesting? But paywalled.
[edit: try these!]
No doubt many more out there too.
See also https://lobste.rs/s/f11tcq/project_strobe_protecting_your_data
It’s a little too close to what happened with Cambridge Analytica for comfort.